2024-09-07 13:46:59 +00:00
|
|
|
package children
|
2021-04-20 21:31:37 +00:00
|
|
|
|
|
|
|
import (
|
2022-10-20 19:59:46 +00:00
|
|
|
"context"
|
|
|
|
"fmt"
|
2024-10-27 13:31:10 +00:00
|
|
|
"io"
|
2023-08-05 21:53:17 +00:00
|
|
|
"isle/bootstrap"
|
2024-09-07 13:11:04 +00:00
|
|
|
"isle/daemon/daecommon"
|
2024-10-27 13:31:10 +00:00
|
|
|
"isle/toolkit"
|
2024-12-12 19:51:13 +00:00
|
|
|
"isle/yamlutil"
|
2021-04-20 21:31:37 +00:00
|
|
|
"net"
|
|
|
|
"path/filepath"
|
2024-11-17 13:19:46 +00:00
|
|
|
"strconv"
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2023-07-06 15:51:38 +00:00
|
|
|
"code.betamike.com/micropelago/pmux/pmuxlib"
|
2024-07-06 13:36:48 +00:00
|
|
|
"dev.mediocregopher.com/mediocre-go-lib.git/mctx"
|
|
|
|
"dev.mediocregopher.com/mediocre-go-lib.git/mlog"
|
2024-06-15 21:02:24 +00:00
|
|
|
"github.com/slackhq/nebula/cert"
|
2024-10-27 13:31:10 +00:00
|
|
|
"gopkg.in/yaml.v3"
|
2021-04-20 21:31:37 +00:00
|
|
|
)
|
|
|
|
|
2022-10-20 19:59:46 +00:00
|
|
|
// waitForNebula waits for the nebula interface to have been started up. It does
|
|
|
|
// this by attempting to create a UDP connection which has the nebula IP set as
|
|
|
|
// its source. If this succeeds we can assume that at the very least the nebula
|
|
|
|
// interface has been initialized.
|
2024-06-17 18:51:02 +00:00
|
|
|
func waitForNebula(
|
2024-07-06 13:36:48 +00:00
|
|
|
ctx context.Context, logger *mlog.Logger, hostBootstrap bootstrap.Bootstrap,
|
2024-06-17 18:51:02 +00:00
|
|
|
) error {
|
2024-07-06 13:36:48 +00:00
|
|
|
var (
|
2024-07-13 14:08:13 +00:00
|
|
|
ip = net.IP(hostBootstrap.ThisHost().IP().AsSlice())
|
2024-07-06 13:36:48 +00:00
|
|
|
lUDPAddr = &net.UDPAddr{IP: ip, Port: 0}
|
|
|
|
rUDPAddr = &net.UDPAddr{IP: ip, Port: 45535}
|
|
|
|
)
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2024-07-06 13:36:48 +00:00
|
|
|
ctx = mctx.Annotate(ctx, "lUDPAddr", lUDPAddr, "rUDPAddr", rUDPAddr)
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2024-07-06 13:36:48 +00:00
|
|
|
until(
|
|
|
|
ctx,
|
|
|
|
logger,
|
2024-10-27 13:31:10 +00:00
|
|
|
"Checking if nebula is online by creating UDP socket from nebula IP",
|
2024-07-06 13:36:48 +00:00
|
|
|
func(context.Context) error {
|
|
|
|
conn, err := net.DialUDP("udp", lUDPAddr, rUDPAddr)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
conn.Close()
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
)
|
2022-10-20 19:59:46 +00:00
|
|
|
|
2024-07-06 13:36:48 +00:00
|
|
|
return ctx.Err()
|
2022-10-20 19:59:46 +00:00
|
|
|
}
|
|
|
|
|
2024-07-19 18:49:04 +00:00
|
|
|
func nebulaConfig(
|
2024-12-12 21:02:00 +00:00
|
|
|
deviceNamer *NebulaDeviceNamer,
|
2024-09-10 20:51:33 +00:00
|
|
|
networkConfig daecommon.NetworkConfig,
|
2024-07-06 13:36:48 +00:00
|
|
|
hostBootstrap bootstrap.Bootstrap,
|
2022-10-26 21:21:31 +00:00
|
|
|
) (
|
2024-12-12 19:51:13 +00:00
|
|
|
any, error,
|
2022-10-26 21:21:31 +00:00
|
|
|
) {
|
2021-04-20 21:31:37 +00:00
|
|
|
var (
|
|
|
|
lighthouseHostIPs []string
|
2024-12-12 19:51:13 +00:00
|
|
|
staticHostMap = yamlutil.OrderedMap[string, []string]{}
|
2021-04-20 21:31:37 +00:00
|
|
|
)
|
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
for _, host := range hostBootstrap.HostsOrdered() {
|
2021-04-20 21:31:37 +00:00
|
|
|
|
|
|
|
if host.Nebula.PublicAddr == "" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2022-10-29 19:11:40 +00:00
|
|
|
ip := host.IP().String()
|
|
|
|
lighthouseHostIPs = append(lighthouseHostIPs, ip)
|
|
|
|
staticHostMap[ip] = []string{host.Nebula.PublicAddr}
|
2021-04-20 21:31:37 +00:00
|
|
|
}
|
|
|
|
|
2024-06-23 12:37:10 +00:00
|
|
|
caCertPEM, err := hostBootstrap.CAPublicCredentials.Cert.Unwrap().MarshalToPEM()
|
2024-06-15 21:02:24 +00:00
|
|
|
if err != nil {
|
2024-07-19 18:49:04 +00:00
|
|
|
return nil, fmt.Errorf("marshaling CA cert to PEM: :%w", err)
|
2024-06-15 21:02:24 +00:00
|
|
|
}
|
|
|
|
|
2024-06-23 12:37:10 +00:00
|
|
|
hostCertPEM, err := hostBootstrap.PublicCredentials.Cert.Unwrap().MarshalToPEM()
|
2024-06-15 21:02:24 +00:00
|
|
|
if err != nil {
|
2024-07-19 18:49:04 +00:00
|
|
|
return nil, fmt.Errorf("marshaling host cert to PEM: :%w", err)
|
2024-06-15 21:02:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
hostKeyPEM := cert.MarshalX25519PrivateKey(
|
|
|
|
hostBootstrap.PrivateCredentials.EncryptingPrivateKey.Bytes(),
|
|
|
|
)
|
|
|
|
|
2024-11-17 13:19:46 +00:00
|
|
|
firewall := networkConfig.VPN.Firewall
|
|
|
|
for _, alloc := range networkConfig.Storage.Allocations {
|
|
|
|
firewall.Inbound = append(
|
|
|
|
firewall.Inbound,
|
|
|
|
daecommon.ConfigFirewallRule{
|
|
|
|
Port: strconv.Itoa(alloc.S3APIPort),
|
|
|
|
Proto: "tcp",
|
|
|
|
Host: "any",
|
|
|
|
},
|
|
|
|
daecommon.ConfigFirewallRule{
|
|
|
|
Port: strconv.Itoa(alloc.RPCPort),
|
|
|
|
Proto: "tcp",
|
|
|
|
Host: "any",
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
type m = yamlutil.OrderedMap[string, any]
|
|
|
|
|
|
|
|
config := m{
|
|
|
|
"pki": m{
|
2024-06-15 21:02:24 +00:00
|
|
|
"ca": string(caCertPEM),
|
|
|
|
"cert": string(hostCertPEM),
|
|
|
|
"key": string(hostKeyPEM),
|
2021-04-20 21:31:37 +00:00
|
|
|
},
|
|
|
|
"static_host_map": staticHostMap,
|
2024-12-12 19:51:13 +00:00
|
|
|
"punchy": m{
|
2021-04-20 21:31:37 +00:00
|
|
|
"punch": true,
|
|
|
|
"respond": true,
|
|
|
|
},
|
2024-12-12 19:51:13 +00:00
|
|
|
"tun": m{
|
2024-12-12 21:02:00 +00:00
|
|
|
"dev": deviceNamer.getName(
|
|
|
|
hostBootstrap.NetworkCreationParams.ID,
|
|
|
|
hostBootstrap.ThisHost().IP(),
|
|
|
|
),
|
2021-04-20 21:31:37 +00:00
|
|
|
},
|
2024-11-17 13:19:46 +00:00
|
|
|
"firewall": firewall,
|
2021-04-20 21:31:37 +00:00
|
|
|
}
|
|
|
|
|
2024-09-10 20:51:33 +00:00
|
|
|
if publicAddr := networkConfig.VPN.PublicAddr; publicAddr == "" {
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
config["listen"] = m{
|
2021-04-20 21:31:37 +00:00
|
|
|
"host": "0.0.0.0",
|
|
|
|
"port": "0",
|
|
|
|
}
|
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
config["lighthouse"] = m{
|
2021-04-20 21:31:37 +00:00
|
|
|
"hosts": lighthouseHostIPs,
|
|
|
|
}
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
2024-10-06 17:38:35 +00:00
|
|
|
host, port, err := net.SplitHostPort(publicAddr)
|
2021-04-20 21:31:37 +00:00
|
|
|
if err != nil {
|
2024-07-19 18:49:04 +00:00
|
|
|
return nil, fmt.Errorf(
|
|
|
|
"parsing public address %q: %w", publicAddr, err,
|
|
|
|
)
|
2021-04-20 21:31:37 +00:00
|
|
|
}
|
|
|
|
|
2024-10-06 17:38:35 +00:00
|
|
|
// This helps with integration testing, so we can set a test to listen
|
|
|
|
// on some local IP without conflicting with something else running on
|
|
|
|
// the host.
|
|
|
|
if hostIP := net.ParseIP(host); hostIP == nil || !hostIP.IsLoopback() {
|
|
|
|
host = "0.0.0.0"
|
|
|
|
}
|
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
config["listen"] = m{
|
2024-10-06 17:38:35 +00:00
|
|
|
"host": host,
|
2021-04-20 21:31:37 +00:00
|
|
|
"port": port,
|
|
|
|
}
|
|
|
|
|
2024-12-12 19:51:13 +00:00
|
|
|
config["lighthouse"] = m{
|
2021-04-20 21:31:37 +00:00
|
|
|
"hosts": []string{},
|
|
|
|
"am_lighthouse": true,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-07-19 18:49:04 +00:00
|
|
|
return config, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func nebulaWriteConfig(
|
2024-10-27 13:31:10 +00:00
|
|
|
ctx context.Context,
|
|
|
|
logger *mlog.Logger,
|
2024-07-19 18:49:04 +00:00
|
|
|
runtimeDirPath string,
|
2024-12-12 21:02:00 +00:00
|
|
|
deviceNamer *NebulaDeviceNamer,
|
2024-09-10 20:51:33 +00:00
|
|
|
networkConfig daecommon.NetworkConfig,
|
2024-07-19 18:49:04 +00:00
|
|
|
hostBootstrap bootstrap.Bootstrap,
|
|
|
|
) (
|
2024-10-27 13:31:10 +00:00
|
|
|
string, bool, error,
|
2024-07-19 18:49:04 +00:00
|
|
|
) {
|
2024-12-12 21:02:00 +00:00
|
|
|
config, err := nebulaConfig(deviceNamer, networkConfig, hostBootstrap)
|
2024-07-19 18:49:04 +00:00
|
|
|
if err != nil {
|
2024-10-27 13:31:10 +00:00
|
|
|
return "", false, fmt.Errorf("creating nebula config: %w", err)
|
2024-07-19 18:49:04 +00:00
|
|
|
}
|
|
|
|
|
2024-06-17 18:51:02 +00:00
|
|
|
nebulaYmlPath := filepath.Join(runtimeDirPath, "nebula.yml")
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2024-10-27 13:31:10 +00:00
|
|
|
changed, err := toolkit.WriteFileCheckChanged(
|
|
|
|
ctx, logger, nebulaYmlPath, 0600, func(w io.Writer) error {
|
|
|
|
return yaml.NewEncoder(w).Encode(config)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return "", false, fmt.Errorf(
|
|
|
|
"writing nebula.yml to %q: %w", nebulaYmlPath, err,
|
|
|
|
)
|
2024-07-19 18:49:04 +00:00
|
|
|
}
|
|
|
|
|
2024-10-27 13:31:10 +00:00
|
|
|
return nebulaYmlPath, changed, nil
|
2024-07-19 18:49:04 +00:00
|
|
|
}
|
|
|
|
|
2024-10-29 14:11:13 +00:00
|
|
|
func nebulaPmuxProc(
|
2024-10-27 13:31:10 +00:00
|
|
|
ctx context.Context,
|
|
|
|
logger *mlog.Logger,
|
2024-07-19 18:49:04 +00:00
|
|
|
runtimeDirPath, binDirPath string,
|
2024-12-12 21:02:00 +00:00
|
|
|
deviceNamer *NebulaDeviceNamer,
|
2024-09-10 20:51:33 +00:00
|
|
|
networkConfig daecommon.NetworkConfig,
|
2024-07-19 18:49:04 +00:00
|
|
|
hostBootstrap bootstrap.Bootstrap,
|
|
|
|
) (
|
2024-10-29 14:11:13 +00:00
|
|
|
*pmuxlib.Process, error,
|
2024-07-19 18:49:04 +00:00
|
|
|
) {
|
2024-10-27 13:31:10 +00:00
|
|
|
nebulaYmlPath, _, err := nebulaWriteConfig(
|
2024-12-12 21:02:00 +00:00
|
|
|
ctx, logger, runtimeDirPath, deviceNamer, networkConfig, hostBootstrap,
|
2024-10-27 13:31:10 +00:00
|
|
|
)
|
2024-07-19 18:49:04 +00:00
|
|
|
if err != nil {
|
2024-10-29 14:11:13 +00:00
|
|
|
return nil, fmt.Errorf("writing nebula config: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
cfg := pmuxlib.ProcessConfig{
|
|
|
|
Cmd: filepath.Join(binDirPath, "nebula"),
|
|
|
|
Args: []string{"-config", nebulaYmlPath},
|
2021-04-20 21:31:37 +00:00
|
|
|
}
|
2024-10-29 14:11:13 +00:00
|
|
|
cfg = withPmuxLoggers(ctx, logger, "nebula", cfg)
|
2021-04-20 21:31:37 +00:00
|
|
|
|
2024-10-29 14:11:13 +00:00
|
|
|
return pmuxlib.NewProcess(cfg), nil
|
2021-04-20 21:31:37 +00:00
|
|
|
}
|